Description
Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Attackers can send GET requests to index.php with m=admin, c=posts, a=index parameters and inject SQL code in the cat parameter to manipulate database queries and extract sensitive information.
Published: 2026-03-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Immediate Patch
AI Analysis

Impact

Green CMS 2.x allows an authenticated user to inject arbitrary SQL through the 'cat' parameter in a GET request to index.php. The injection flaw maps to CWE-89 and enables attackers to read, modify or delete database records, thereby compromising confidentiality and integrity of the underlying data store.

Affected Systems

Affected vendors include Greencms. The product Green CMS 2.x, all releases in the 2.x line, is vulnerable. No finer version granularity is provided.

Risk and Exploitability

The CVSS score of 7.1 denotes a high-severity vulnerability; however, the EPSS score below 1% indicates a low current likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Because the attack requires authenticated access to admin functions, it is limited to users who can reach index.php with the m=admin, c=posts, a=index parameters, making it a network-based, authenticated exploitation vector. Defenders should prioritize applying a vendor fix and monitor for abnormal database activity.

Generated by OpenCVE AI on March 24, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official patch for Green CMS 2.x that eliminates the SQL injection in the cat parameter.
  • If no official patch exists, restrict access to the administrative posts index page (index.php?m=admin&c=posts&a=index) to a minimal set of trusted users and block the cat parameter from untrusted input.
  • Update the application code to use prepared statements or validate the cat parameter to prevent injection.
  • In the meantime, monitor administrative page accesses and database logs for signs of suspicious activity that could indicate exploitation.
  • Check the vendor’s website or support channels for any new releases or additional mitigations and apply them as soon as possible.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Njtech
                                      Njtech greencms
CPEs                                  cpe:2.3:a:njtech:greencms:*:*:*:*:*:*:*:*
Vendors & Products                    Njtech
                                      Njtech greencms

Tue, 24 Mar 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Greencms
                                      Greencms greencms
Vendors & Products                    Greencms
                                      Greencms greencms

Sat, 21 Mar 2026 15:45:00 +0000

Type                 Values Removed   Values Added
Description                           Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Attackers can send GET requests to index.php with m=admin, c=posts, a=index parameters and inject SQL code in the cat parameter to manipulate database queries and extract sensitive information.
Title                                 Green CMS 2.x SQL Injection via cat Parameter
Weaknesses                            CWE-89
References
Metrics                               cvssV3_1
                                      {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
                                      cvssV4_0
                                      {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T14:19:15.398Z

Reserved: 2026-03-21T15:23:32.640Z

Link: CVE-2019-25573

Vulnrichment

Updated: 2026-03-24T14:18:34.877Z

NVD

Status: Analyzed

Published: 2026-03-21T16:16:00.753

Modified: 2026-03-24T16:39:34.547

Link: CVE-2019-25573

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:47:10Z

Weaknesses